$OpenBSD: patch-qca-ossl_cpp,v 1.5 2015/07/18 22:52:43 jca Exp $

- allow building against OpenSSL without MD2 or SSLv2/3 support
- restrict visible ciphers not to TLSv1.0 but to TLSv1+; note that this
  relies on the fact that SSLv2 and SSLv3 are disabled by default in
  LibreSSL

--- qca-ossl.cpp.orig	Mon Dec 10 23:34:57 2007
+++ qca-ossl.cpp	Sat Jul 18 16:51:22 2015
@@ -1771,8 +1771,10 @@ class RSAKey : public RSAContext (public)
 			md = EVP_sha1();
 		else if(alg == EMSA3_MD5)
 			md = EVP_md5();
+#ifdef MD2_DIGEST_LENGTH
 		else if(alg == EMSA3_MD2)
 			md = EVP_md2();
+#endif
 		else if(alg == EMSA3_RIPEMD160)
 			md = EVP_ripemd160();
 		else if(alg == EMSA3_Raw)
@@ -1789,8 +1791,10 @@ class RSAKey : public RSAContext (public)
 			md = EVP_sha1();
 		else if(alg == EMSA3_MD5)
 			md = EVP_md5();
+#ifdef MD2_DIGEST_LENGTH
 		else if(alg == EMSA3_MD2)
 			md = EVP_md2();
+#endif
 		else if(alg == EMSA3_RIPEMD160)
 			md = EVP_ripemd160();
 		else if(alg == EMSA3_Raw)
@@ -3385,9 +3389,11 @@ class MyCertContext : public CertContext (public)
 		case NID_md5WithRSAEncryption:
 		    p.sigalgo = QCA::EMSA3_MD5;
 		    break;
+#ifdef MD2_DIGEST_LENGTH
 		case NID_md2WithRSAEncryption:
 		    p.sigalgo = QCA::EMSA3_MD2;
 		    break;
+#endif
 		case NID_ripemd160WithRSA:
 		    p.sigalgo = QCA::EMSA3_RIPEMD160;
 		    break;
@@ -3871,9 +3877,11 @@ class MyCSRContext : public CSRContext (public)
 		case NID_md5WithRSAEncryption:
 		    p.sigalgo = QCA::EMSA3_MD5;
 		    break;
+#ifdef MD2_DIGEST_LENGTH
 		case NID_md2WithRSAEncryption:
 		    p.sigalgo = QCA::EMSA3_MD2;
 		    break;
+#endif
 		case NID_ripemd160WithRSA:
 		    p.sigalgo = QCA::EMSA3_RIPEMD160;
 		    break;
@@ -4061,9 +4069,11 @@ class MyCRLContext : public CRLContext (public)
 		case NID_md5WithRSAEncryption:
 		    p.sigalgo = QCA::EMSA3_MD5;
 		    break;
+#ifdef MD2_DIGEST_LENGTH
 		case NID_md2WithRSAEncryption:
 		    p.sigalgo = QCA::EMSA3_MD2;
 		    break;
+#endif
 		case NID_ripemd160WithRSA:
 		    p.sigalgo = QCA::EMSA3_RIPEMD160;
 		    break;
@@ -5133,14 +5143,18 @@ class MyTLSContext : public TLSContext (public)
 		OpenSSL_add_ssl_algorithms();
 		SSL_CTX *ctx = 0;
 		switch (version) {
+#ifndef OPENSSL_NO_SSL2
 		case TLS::SSL_v2:
 			ctx = SSL_CTX_new(SSLv2_client_method());
 			break;
+#endif
+#ifndef OPENSSL_NO_SSL3
 		case TLS::SSL_v3:
 			ctx = SSL_CTX_new(SSLv3_client_method());
 			break;
+#endif
 		case TLS::TLS_v1:
-			ctx = SSL_CTX_new(TLSv1_client_method());
+			ctx = SSL_CTX_new(SSLv23_client_method());
 			break;
 		case TLS::DTLS_v1:
 		default:
@@ -5538,7 +5552,7 @@ class MyTLSContext : public TLSContext (public)
 	{
 		SessionInfo sessInfo;
 
-		sessInfo.isCompressed = (0 != ssl->session->compress_meth);
+		sessInfo.isCompressed = false;
 
 		if (ssl->version == TLS1_VERSION)
 			sessInfo.version = TLS::TLS_v1;
@@ -6582,7 +6596,9 @@ static QStringList all_hash_types()
 	list += "sha1";
 	list += "sha0";
 	list += "ripemd160";
+#ifdef MD2_DIGEST_LENGTH
 	list += "md2";
+#endif
 	list += "md4";
 	list += "md5";
 #ifdef SHA224_DIGEST_LENGTH
@@ -6757,7 +6773,9 @@ class opensslProvider : public Provider (public)
 		list += all_hash_types();
 		list += all_mac_types();
 		list += all_cipher_types();
+#ifdef MD2_DIGEST_LENGTH
 		list += "pbkdf1(md2)";
+#endif
 		list += "pbkdf1(sha1)";
 		list += "pbkdf2(sha1)";
 		list += "pkey";
@@ -6788,8 +6806,10 @@ class opensslProvider : public Provider (public)
 			return new opensslHashContext( EVP_sha(), this, type);
 		else if ( type == "ripemd160" )
 			return new opensslHashContext( EVP_ripemd160(), this, type);
+#ifdef MD2_DIGEST_LENGTH
 		else if ( type == "md2" )
 			return new opensslHashContext( EVP_md2(), this, type);
+#endif
 		else if ( type == "md4" )
 			return new opensslHashContext( EVP_md4(), this, type);
 		else if ( type == "md5" )
@@ -6816,8 +6836,10 @@ class opensslProvider : public Provider (public)
 #endif
 		else if ( type == "pbkdf1(sha1)" )
 			return new opensslPbkdf1Context( EVP_sha1(), this, type );
+#ifdef MD2_DIGEST_LENGTH
 		else if ( type == "pbkdf1(md2)" )
 			return new opensslPbkdf1Context( EVP_md2(), this, type );
+#endif
 		else if ( type == "pbkdf2(sha1)" )
 			return new opensslPbkdf2Context( this, type );
 		else if ( type == "hmac(md5)" )
@@ -6934,7 +6956,7 @@ class opensslProvider : public Provider (public)
 			return new CMSContext( this );
 		else if ( type == "ca" )
 			return new MyCAContext( this );
-		return 0;
+		return NULL;
 	}
 };
 
